Putting it all together in the context of a Zero Day Threat


ALL ABOUT SECURITY 


https://learninglabs.cisco.com/tracks/devnet-express-security


Putting It all together in the context of a Zero Day Threat

Using all we have learned in the previous sessions of DevNet Express for Security, let's try to create a workflow using APIs to deal with this type of zero-day attack.

Your Zero-day Mission: a module description

Learn about zero-day attacks and an example approach to defending against them using APIs from Cisco security products. These are Python-based exercises; they may also help you build Python skills.

The first zero-day mission: Use AMP to find rogue endpoints

Look at all the endpoint event logs to figure out abnormal infections such as files and their SHAs. On which endpoints has malware been executed? Let's use AMP to find out.

The second mission: Use Identity Services Engine (ISE)

Find the ANC quarantine policy from ISE and apply that policy to the rogue endpoints found in the first zero-day AMP mission.

The third mission: Use Cisco Threat Grid

Threat hunting: take the SHA artifacts and their observed behaviour and build out the related network artifacts (such as domains and IP addresses) to further investigate and enforce.

The fourth zero-day mission: Collect intelligence on domains and addresses

Threat hunting using Umbrella Investigate to collect intelligence on the domains/IPs to enforce and contain the threat.

The fifth zero-day mission: Use Umbrella Enforcement

Enforcement on the domains found malicious to enforce and contain the spread of the threat.

The sixth zero-day mission: Enforce by blocking malicious domains on the Next-Gen Firewall

Enforcement on the domains found malicious on the next-gen firewall to enforce and contain the spread of the threat.
Objectives of this module


• Leverage APIs to show how all Cisco products can be tied 
together to automate the zero-day workflow. 

• Collect all the characteristics/signatures behind the possible 
attack using AMP. 

• Validate the collected intelligence with Threat Grid and 
Umbrella. 

• Deploy the intelligence to the NGFW, Umbrella and ISE to 
protect and contain the threat. 


©2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 



Get your hands dirty with The Mission! 




The Mission 


Estimated time: 10 minutes 


Mission 1: 

Use AMP to find rogue endpoints 


• Make a GET call to request Events. 

• Figure out from the Events list on which 
endpoints a malware event has executed. 

• Create the list of infected machines and 
the associated SHAs. 


Revisit the concepts under the AMP 
module of the track. 

Check the request URL to ensure it’s 
created correctly. Check here: 

https://api-docs.amp.cisco.com 

You can also find the Malware ID in the API 
docs. 
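As an added example (not the lab's own solution code), the Mission 1 data wrangling: fetch events with the AMP API's HTTP basic auth and reduce them to a host-to-SHA map. The `api.amp.cisco.com` host, the `event_type[]` filter, the `Executed malware` event type string and the response field layout are assumptions taken from the AMP API docs; the sample response is constructed.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed sample of an AMP for Endpoints GET /v1/events response (not a real capture).
# The field layout (data[].event_type, data[].computer.hostname,
# data[].file.identity.sha256) is an assumption based on the AMP API docs.
SAMPLE_EVENTS = {
    "data": [
        {"event_type": "Executed malware",
         "computer": {"hostname": "HOST-A"},
         "file": {"identity": {"sha256": "a" * 64}}},
        {"event_type": "Threat Detected",          # detected, not executed: ignored
         "computer": {"hostname": "HOST-B"},
         "file": {"identity": {"sha256": "b" * 64}}},
        {"event_type": "Executed malware",          # second SHA on the same host
         "computer": {"hostname": "HOST-A"},
         "file": {"identity": {"sha256": "c" * 64}}},
        {"event_type": "Executed malware",          # no file block: must not crash
         "computer": {"hostname": "HOST-C"}},
    ]
}


def fetch_events(client_id, api_key, event_type_id):
    """GET /v1/events filtered on one event type id (the numeric id from the
    AMP API docs; pass your own). AMP uses HTTP basic auth with client_id:api_key."""
    query = urllib.parse.urlencode({"event_type[]": event_type_id})
    url = "https://api.amp.cisco.com/v1/events?" + query
    token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def infected_endpoints(events, wanted="Executed malware"):
    """Map hostname -> sorted SHA256 list for events of the wanted type."""
    hits = {}
    for ev in events.get("data", []):
        if ev.get("event_type") != wanted:
            continue
        host = ev.get("computer", {}).get("hostname")
        sha = ev.get("file", {}).get("identity", {}).get("sha256")
        if not host or not sha:
            continue  # an event without a file artifact gives nothing to pivot on
        hits.setdefault(host, set()).add(sha)
    return {host: sorted(shas) for host, shas in hits.items()}


def all_shas(infected):
    """Flatten the per-host map into the unique SHA list handed to Threat Grid."""
    return sorted({sha for shas in infected.values() for sha in shas})
```

Run `infected_endpoints(fetch_events(...))` against a live tenant; the sample data only exercises the parsing.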


The Mission 


Estimated time: 10 minutes 


Mission 2: 

Nuke the endpoints to Quarantine with ISE 


• Create request URL and apply appropriate 
filters. 

• Perform a GET call to find the ANC policy 
and apply that policy to the endpoint with 
MAC address 11:22:33:44:55. 


• Revisit the concepts under the ISE module. 

• Make sure to parse the JSON 
appropriately. 
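Added example for Mission 2, not the lab's code: locate the quarantine policy in an ISE ERS `ancpolicy` listing and build the `ancendpoint/apply` body for each rogue endpoint from the AMP mission. The `SearchResult` layout and the `macAddress`/`policyName` field names are assumptions based on the ISE ERS API; the sample response and MAC addresses are constructed.

```python
import re

# Constructed sample of an ISE ERS GET /ers/config/ancpolicy response (not a real capture).
# The SearchResult.resources[] layout is an assumption based on the ISE ERS API.
SAMPLE_ANC_POLICIES = {
    "SearchResult": {
        "total": 2,
        "resources": [
            {"id": "11111111-1111-1111-1111-111111111111", "name": "ANC_Shutdown"},
            {"id": "22222222-2222-2222-2222-222222222222", "name": "ANC_Quarantine"},
        ]
    }
}

# ISE expects a six-octet, colon-separated MAC (AA:BB:CC:DD:EE:FF).
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def find_anc_policy(policies, keyword="quarantine"):
    """Return the name of the first ANC policy whose name contains keyword."""
    for res in policies.get("SearchResult", {}).get("resources", []):
        if keyword.lower() in res.get("name", "").lower():
            return res["name"]
    return None


def anc_apply_body(mac, policy_name):
    """Build the JSON body for PUT /ers/config/ancendpoint/apply. A short or
    malformed MAC is rejected here instead of being sent and matching nothing."""
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    if not policy_name:
        raise ValueError("no ANC policy name")
    return {"OperationAdditionalData": {"additionalData": [
        {"name": "macAddress", "value": mac.upper()},
        {"name": "policyName", "value": policy_name},
    ]}}


def quarantine_bodies(policies, macs):
    """One apply body per rogue endpoint, using the quarantine policy found in ISE."""
    policy = find_anc_policy(policies)
    return [anc_apply_body(mac, policy) for mac in macs]
```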


The Mission 


Estimated time: 10 minutes 


Mission 3: 

Collect Intelligence on malicious SHA using Threat Grid 


• Collect intelligence on the SHA found in 
your AMP mission. 

• Parse and find the associated IPs and 
Domains. 


• Revisit the concepts under Threat Grid 
module. 

• Make sure to parse the JSON 
appropriately. 


The Mission 


Estimated time: 15 minutes 


Mission 4: 

Collect Intelligence on the domains using Umbrella Investigate 


Objectives 

• Collect intelligence on the domains found 
in the Threat Grid mission. 

• Use Umbrella to get intelligence on domain 
data. 


Things to Consider 

• Revisit the concepts under the Umbrella 
Investigate module. 

• Make sure to parse the JSON 
appropriately. 




The Mission 


Estimated time: 15 minutes 


Mission 5: 

Block the malicious domains using Umbrella Enforcement 


Objectives 

• This hands-on exercise presents an 
opportunity to use a POST request. 

• Enforce your network policy using Umbrella 
to ensure malware on rogue endpoints 
can’t call home, and neutralize the threat. 


Things to Consider 

• Revisit the concepts under the Umbrella 
Enforcement learning labs. 

• Make sure to parse the JSON 
appropriately. 
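Added example for Mission 5 (not the lab's code): build the generic-event bodies for the Umbrella Enforcement `POST /1.0/events` call from the domain list produced by the Investigate mission. The endpoint, the timestamp format and the event field names are assumptions based on the Enforcement API docs; the domains and device id are constructed.

```python
import re
from datetime import datetime, timezone

# customerKey is passed as a query-string parameter on this URL (assumption from the API docs).
ENFORCEMENT_URL = "https://s-platform.api.opendns.com/1.0/events"

# Format-only check: a dotted hostname with valid labels, no scheme and no path.
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def iso_now():
    """Timestamp in the form the Enforcement API expects, e.g. 2018-05-01T09:30:26.0Z."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.0Z")


def enforcement_event(domain, device_id, when=None):
    """Build one generic event for POST /1.0/events (field names are an
    assumption based on the Umbrella Enforcement API generic event format)."""
    when = when or iso_now()
    return {
        "alertTime": when,
        "deviceId": device_id,
        "deviceVersion": "1.0",
        "dstDomain": domain,
        "dstUrl": "http://" + domain + "/",
        "eventTime": when,
        "protocolVersion": "1.0a",
        "providerName": "Security Platform",
    }


def build_events(domains, device_id, when=None):
    """Normalise and de-duplicate the Investigate output, drop anything that is
    not a bare hostname, and return (events to POST, rejected inputs)."""
    events, seen, rejected = [], set(), []
    for raw in domains:
        d = raw.strip().lower().rstrip(".")
        if not DOMAIN_RE.match(d):
            rejected.append(raw)  # URLs, single labels, garbage: never sent
            continue
        if d in seen:
            continue
        seen.add(d)
        events.append(enforcement_event(d, device_id, when))
    return events, rejected
```

Review the rejected list before posting; a domain that fails the format check is usually a URL or a truncated value from the previous step rather than a safe domain.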


The Mission 


Mission 6: 

Block malicious domains on the firewall using FDM 
REST APIs 


Objectives 

• Block URLs/Domains on the NGFW. 

• Use FDM APIs to accomplish this goal. 


Things to Consider 

• Revisit the concepts under Firepower FDM 
module. 

• Make sure to parse the JSON 
appropriately. 
Wrap Up


Developed a simple zero-day threat investigation 
automation workflow 


• We created a very simple workflow, using APIs. 

• We identified the rogue endpoints where malware has executed in our network 
using AMP for Endpoints. 

• We used ISE to quarantine these endpoints to contain the known threats. 

• We used the AMP data to collect intelligence on the SHAs using Threat Grid. 

• We built the list of IPs and domains associated with these SHAs from Threat 
Grid. 

• We used Umbrella Investigate to gather intelligence on the Domains/IPs. 

• We used Umbrella Enforcement to contain the threat and prevent the malware 
from executing, as it can’t call home. 

• We used FDM APIs to enforce and contain the threat on the firewalls. 
@CiscoDevNet
#DevNetExpress 
facebook.com/ciscodevnet/ 
http://github.com/CiscoDevNet 



developer.cisco.com 
